Posted
by
CowboyNealon Thursday May 03, 2007 @08:18PM
from the don't-look-at-me dept.

An anonymous reader writes "A new device devised by Amsterdam graduate student Melanie Rieback is designed to serve as a portable firewall for RFID tags. The portable battery-powered RFID Guardian uses an access control list to filter RFID queries, blocking queries that aren't approved. Rieback, who is also known for being the first researcher to develop a proof of concept RFID virus, hopes to offer version 3.0 of the RFID Guardian to the public at cost."

Is this like some sort of "jacket" you put your already existing RFID card into that blocks signals unless told otherwise, or is it something that would have to be added to new cards?

From TFA:

Eventual plans call for the Guardian to be incorporated into cell phones and PDAs, but the current model is a pocket-sized device that runs on its own battery and provides a circular 1m field of control over RFID tags, jamming any tags that the user does not want read.

Not quite.It only works with 13.56Mhz tags and only a not very widely used air protocol. This device requires intimate knowledge of the air protocol used to communicate with the tag. It must know exactly which frequencies the tag will communicate back on in order to function.

The health care market is using 13.56Mhz tags, but they're not using the air protocol her device uses, so it won't know where to do the jamming. The consumer goods market isn't currently tagging on a per-item basis, but when they do get

No, this is an active jamming device, and as the other readers indicate, may only work at a particular frequency or communications protocol.
However Smart Tools offers an RFID Shield - a passive device that prevents your RFID card from being detected or communicating, and is independent of frequency or protocol. There's info and a picture at:
http://smarttools.home.att.net/rfshield.htm [att.net]

So does that mean you could theoretically create a virus that would make all RFID enabled passports identify themselves as belonging to known/suspected terrorists? That would make for a million laughs on April 1...

Basically, it uses buffer over flows to insert nasty code into a computer. The RFID chips contain the code and when read exploit problems in the reader. You can use commercially available tools to write your own RFID chips. Have fun.

Well, in the retail environment, the point is to be able to read them without touching each individual item. Inventory audit your warehouse, ring up an entire cart of stuff without having to pick it all out and set it on a convery and scan it one by one.There are plenty of legitimate uses for RFID. But I would agree it should always be used transparently, and once an item is yours, you should be able/allowed to remove the tag. (Note that passports, I beleive remain property of the US and are just issued to

Well, in the retail environment, the point is to be able to read them without touching each individual item. Inventory audit your warehouse, ring up an entire cart of stuff without having to pick it all out and set it on a convery and scan it one by one.

Another big retail selling point is to set up scanners at doors and set off an alarm if an item passes through that is allegedly still in the store's inventory. You can bet retail chains will lobby against Guardian and similar technologies.

It is harder to forge but not because of some stupid restriction like "the stuff is harder to get". Any fool can write a RFID tag with quite reasonably priced equipment as well. The security actually comes from the cryptographic hash of the digital data also on the RFID tag. Therefore, if the digital data matches the physical printing of the data, and the cryptographic hash checks out, then you have within a good degree of certainty that the passport is legit. Of course, who knows if the secret hashing algorithm has been leaked or not, but that's a totally different concern.

With that said, a wireless technology is completely stupid for this sort of application. Any official checking a passport is going to be physically handling it anyway, so what's wrong with requiring a physical connection, like that in a smartcard?

Considering the fact that this technology is so new, why can't we start by making RFID more secure in the purest sense? Today's other article about the "unimportance" of IT in a world without viruses is crazy to discuss when a majority of the world uses inherently insecure systems. Let's lock this one down now before it gets out of control.

One of these days, someone should invent something that can convey information like RFID, but not anyone can read it. In fact, make it so that it can be only read when I take it out and present it to the reader, rather than readable by anyone without be uncovering it. That makes sure only those I want can read it, and keeps it safe from being read without my knowledge, much less consent.

I think I have an idea! I'm gonna go patent it now. I'll call it a "barcode"! Yeah, that's the ticket!

nvent something that can convey information like RFID, but not anyone can read it. In fact, make it so that it can be only read

You've just hit on the essential limitation of cryptography. Make up your damned mind, do you want people to read it, or not?

If _someone_ (ie the GOOD guy) can read it, then AUTOMATICALLY the BAD guy also can read it - IF he manages to figure out the algorithm. QED. There is no more. Everyone who tries to sell you an idea where ONLY the "G

umm, How can the bad guy read my barcode if I don't take it out of my pocket. You can't stand behind me in line and read the barcode in my passport. You can't make a device to read the barcodes on the licenses of other people in the elevator. But RFID is ripe for this. It's not a matter of cyptography, it's a matter of easy, obvious, physical control of the information.

The whole point of RFID for some applications is to be able to read them without physically sighting every one.

For instance, store inventory. Walk down an aisle with an RFID reader - 5 minutes to a perfect count. Walk down the same aisle, with a barcode scanner, and scan every item one at a time - many hours, if yer lucky.

The whole point of RFID for some applications is to be able to read them without physically sighting every one.

For instance, store inventory. Walk down an aisle with an RFID reader - 5 minutes to a perfect count. Walk down the same aisle, with a barcode scanner, and scan every item one at a time - many hours, if yer lucky.

Actually you made a mistake,it is 5 minutes to a perfect count, but only a perfect count of the rfid chips......It still does not tell you how many of the product is actually on the shelves.

Barcodes aren't the greatest answer, as they are vulnerable to spoofing.

Imagine two barcodes that look like this:

| || |l| || |11| | |||
12345

and this:

| || || |l| |11| | |||
12345

Both look like barcodes (please forgive the characters used to dodge the lameness filter.) Both have HRIs (human readable interfaces) beneath them. But one is a forgery, and actually scans to the value 13245. Unless the person with the barcode scanner is actively verifying the numbers match (or is verifying other aspe

To elaborate a bit, suppose a store used the RFID tags to ring up purchases at the store.Your RFID reader would read various tags while you walk down the aisles of a store. Then, while you are near the checkout line, it would transmit them to a reader (it would have more distance than a passive tag) and provide the ids it read to the reader as if it were a tag. Someone standing in line to buy $25 worth of purchases would find the store rang it up to include two or three tvs, stereos, a dozen pairs of shoe

They don't have to. It's already illegal to use one for shoplifting [justia.com] in Minnesota, and I assume that most states have similar laws. All they have to do when they find one in your pocket is accuse you of trying to shoplift. Not only is the device itself pretty strong evidence, but you get 3 bonus years in jail if you're convicted.

This is a really interesting device, I wonder if it has some darker uses, though...

Could you use this device to assist shoplifting by having it in your pocket when you walk past the RFID readers at the store entrance? This would effectively block the readers from being able to "see" the RFID security tags on the merchandise.

Depending on how low-cost these devices are (they are planning to sell them at cost, after all), could someone attach one surreptitiously to the bottom of a modern car preventing the RFID tag built into the ignition key from being read, thereby disabling the car?

Here in New Zealand, they recently passed a law requiring that all pet dogs have RFID chips implanted in them. It would be laughable if a small version of this were made which would could be attached to the collar of the dog to effectively disable the RFID chip implanted in them (admittedly I can't see this particular usage being helpful the the dog or the owner in any way, but it is funny to think about).

Other issues:

Since this is a powered transmitting device, it might not be legal to have it turned on while on board an airplane in flight. Since it can't be effective while turned off, it would still be possible to read passports of people in-flight unless protected by some other means (aluminum foil, farraday cage).

1. Nobody is using RFID for store inventory control. They use far simpler resonators that are cheaper.

2. Not sure, but most cars aren't using RFID. They use something sort of like RFID but not RFID.

What's wrong with just using a wideband jammer, something like a spark-gap transmitter? It would block all radio signals within a one or two mile radius and completely solve any radio frequency problems.

1. you don't know what your talking about - walmart use it for crying out loud.
2. you don't know what your talking about - if it's a chip powered by RF that id's itself when near a reciever, then's RFID....
wideband jamming? you do realise that takes more power then a couple of aa batteries can supply, and it is also going to result in the local authorities investigating who took out the local FM/AM channels and other radio channels and putting your arse in jail for a long time.

I assume the GP meant to say it this way: "Nobody is using RFID exclusively for inventory control" which is a correct statement. 'Inventory control' is the retailer's phrase meaning "shoplifting detectors", and if all you're interested in is stopping shoplifting, resonance tags (Checkpoint, et al) are a fraction of the price of RFID tags. All the stores using RFID that I'm familiar with are using it for much more than inventory control: logistics and transportation, warehousing, stock replenishment, and

It's nice to see that this technology will be available, but I won't be long before it's regulated to the point of uselessness I think. RFIDs are going into too many things, and while 1 metre can be nice covering in some situations, it will be intrusive in others. First off Passports and Drivers licenses of many states carry RFID tags now. I can't imagine customs officials wanting to wait around while you turn off your jamming device or if a police officer would be happy if he tried to read the tag at your

I saw Melanie's talk at What The Hack in summer 2005, and got to speak with her a little afterwards.
That was before the virus made news, but her interests in RFID were in strong evidence.
Here's the abstract: program.whatthehack.org [whatthehack.org]
Here's video (MP4) of her talk, "Fun and Mayhem with RFID:" rehash.whatthehack.org [whatthehack.org]
You can find other videos from WTH at the same site (disclosure: I'm there, too!)

The reason bar codes are not sufficient is that once they are read, they can be easily copied. The same goes for any static message transmitted by an RFID tag. Also, the database can obviously be corrupted by an evil government or disgruntled worker. If you really want to have a forge-proof solution you will need to implement something like OpenPGP in every passport. I can't wait until the day where politicians and media will have to be careful with their creditability or risk having a significant number o

The reason this device is so complex appears to bethe desire to allow reponses selectively.

Wouldn't it be easier and cheaper to make a simple jamming device?Say in a small pouch for storing the passport, etc. with even weakerpower so that only 1 foot radius is covered.When you need to use the passport, take it out of the pouch.

Wouldn't it be easier and cheaper to make a simple jamming device?
Say in a small pouch for storing the passport, etc. with even weaker
power so that only 1 foot radius is covered.
When you need to use the passport, take it out of the pouch.

Yes... some type of device to disable the RFID unit. Perhaps some type of button... one which would turn it off when not in use?